Florida HIPAA compliance requires healthcare organizations to satisfy both the federal HIPAA rules and Florida's own state privacy law. The Florida Information Protection Act of 2014 (FIPA) sets out data security and breach notification requirements for any business or government entity that handles personal information in the state of Florida.

Both laws must be followed, and in many situations meeting the requirements of one will also satisfy the other. Where the two differ, entities should comply with the stricter of the two.

HIPAA sets a federal floor for how patient information is protected, but states also have their own laws governing how personal and medical data must be handled. In Florida, FIPA is the state-level counterpart to the federal HIPAA rules.

FIPA is in several respects broader than HIPAA: it applies to any entity that holds Floridians' personal information, not only to healthcare covered entities and their business associates. At the federal level, HIPAA is administered by the Department of Health and Human Services (HHS). Within HHS, the Centers for Medicare and Medicaid Services (CMS) enforces the Administrative Simplification transaction and code set standards, while the Office for Civil Rights (OCR) enforces the Privacy Rule, the Security Rule, and the Breach Notification Rule (Security Rule enforcement moved from CMS to OCR in 2009).

In Florida, FIPA is enforced by the Attorney General's office (the Department of Legal Affairs), which treats a violation as an unfair or deceptive trade practice. The Florida Department of Health separately handles complaints against licensed health professionals. Under FIPA, companies must take reasonable measures to protect the personal information they hold.

In practice, this means establishing and implementing security policies that reduce the likelihood of a breach in the first place, rather than only responding once a breach has already happened.

Where a breach affects 500 or more individuals in Florida, FIPA requires the affected entity to notify the Florida Department of Legal Affairs (the Attorney General) as expeditiously as practicable, and no later than 30 days after the breach is determined or there is reason to believe a breach occurred. This is shorter than the 60-day window under the federal HIPAA Breach Notification Rule, so the stricter 30-day Florida deadline governs.

Steps to Report HIPAA Violations in Florida

Anyone who has reason to believe they have been involved in an incident that violates HIPAA can report it. To report, here are the steps to take:

  1. File a Complaint with OCR

To report a HIPAA violation, file a complaint with the Office for Civil Rights (OCR). You can file in writing by e-mail or mail, or through the OCR Complaint Portal. Requirements for filing a HIPAA Privacy Complaint include:

  • File the complaint within 180 days of when you knew (or should have known) that the act you are complaining about took place; OCR may extend this deadline for good cause.
  • Provide full contact details for yourself or the affected individual.
  • Name the covered entity or business associate involved.
  • Describe the acts or omissions you believe violate the HIPAA rules, including dates and what happened.
  • Once you have submitted your complaint, OCR reviews it and, if it falls within OCR's jurisdiction and was filed on time, may open an investigation of the covered entity.
  2. File a complaint with the DOH

Aside from licensing all healthcare professionals practicing in the state, the Florida Department of Health (DOH) also reviews complaints filed against those professionals. A licensed professional who breaches patient confidentiality can face disciplinary action by the DOH and the relevant licensing board, in addition to any liability under HIPAA or FIPA.

If you or someone you know has been harmed by a HIPAA or FIPA violation, you can also file a complaint with the Florida DOH against the responsible health professional. If the professional is licensed in another state, a licensing complaint goes to that state's licensing authority, but the HIPAA complaint itself still goes to OCR.

  3. File a Report with a Third-Party Payer

Patients covered by TRICARE, Medicare, the VA, the military, or the Public Health Service can also file a complaint with the Office of Inspector General of that agency. Bear in mind that filing deadlines run from the time you discover the violation, so there is limited time to act.

It is therefore advisable to file a complaint promptly. For the best possible outcome, consider consulting an attorney experienced in healthcare privacy matters.

Common HIPAA Violations in the State of Florida

In the state of Florida, these are some of the most common HIPAA violations to be wary of:

Information disclosure: When employees of a covered entity divulge PHI to unauthorized individuals, the covered entity itself is considered to have violated HIPAA.

Inadequate PHI access controls: Beyond the prohibition on disclosing PHI, employees of covered entities may only access patient records they need for their job. Unauthorized access to patient files, including snooping on records of patients the employee is not treating, is a serious HIPAA violation, and the covered entity must have access controls and audit logs in place to prevent and detect it.

Lack of a risk analysis policy: The HIPAA Security Rule requires covered entities to conduct an accurate and thorough risk analysis of the threats to the confidentiality, integrity, and availability of electronic PHI, and to repeat it periodically and whenever their environment changes materially. Failure to do so is a frequently cited HIPAA violation.

Lack of a risk management policy: Once risks are identified, covered entities must implement a risk management process that reduces them to a reasonable and appropriate level within a reasonable time frame. Identifying risks and then leaving them unaddressed is itself a HIPAA violation.

Lack of HIPAA-compliant agreements: Covered entities must have business associate agreements in place with vendors and other third parties that create, receive, maintain, or transmit PHI on their behalf. Sharing PHI with such a party without a signed agreement is a HIPAA violation.

Failure to protect PHI on portable devices: Leaving laptops, phones, and removable media that hold PHI without safeguards such as strong passwords and encryption is a HIPAA violation. Encryption matters in practice as well as on paper: a lost or stolen device holding unencrypted PHI is a reportable breach, whereas PHI encrypted to HHS guidance is not considered "unsecured" and its loss does not trigger breach notification. Downloading PHI to personal, unprotected devices is treated as a gross violation in the State of Florida.

Exceeding the deadline for issuing breach notifications: HIPAA allows up to 60 days after discovery to notify affected individuals, but FIPA requires notice within 30 days, so in Florida the 30-day deadline applies to covered entities. Missing it is a violation.

Improper disposal of PHI: HIPAA requires covered entities to securely destroy PHI that is no longer needed, whether on paper (shredding, pulping) or on electronic media (wiping or physically destroying the media). Failure to do so is a direct HIPAA violation.

Limiting patients from accessing their PHI: Under HIPAA, patients have the right to inspect their medical records and obtain copies on request, generally within 30 days. Denying or unreasonably delaying this right is a violation of HIPAA.


Outlined above are the main ways to report HIPAA violations in the State of Florida. Although OCR is the primary body that receives complaints, you can use the other routes if you do not feel comfortable going through that particular process.

Also note that you can report to your supervisor, your organization's Privacy Officer, or its Compliance Officer when you suspect a HIPAA violation within your own organization. Once they receive the complaint, the organization is expected to investigate internally and determine whether the incident meets the threshold for reporting under the Breach Notification Rule.